000031206 - Incident Management service is not working due to missing user in RSA Security Analytics 10.5

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000031206
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Incident Management, Security Analytics Server
RSA Version/Condition: 10.5.x
Platform: CentOS
Platform (Other): MongoDB, Puppet
O/S Version: EL6
IssueThe Incident Management service may malfunction and cause the /var/log/tokumx/tokumx.log file to fill up on the Security Analytics server.
CauseThis issue occurs because the "im" user should exist in the MongoDB  database in order for the Incident Management module to function properly.
If the user is not present , the following error is displayed in the /var/log/tokumx/tokumx.log file:

Mon Sep 7 06:13:49.473 [conn3598] auth: couldn't find user im@im, im.system.users

WorkaroundTo create the missing "im" user in the MongoDB database, follow the steps below.
  1. Connect to the Security Analytics server via SSH as the root user.
  2. Issue the following command to access the MongoDB shell:  mongo
  3. Copy and paste the command below at the shell prompt to create the user with the appropriate permissions.
    db.getSiblingDB('im').addUser( { user: "im", pwd: "im", roles: ["readWrite", "dbAdmin"]} )

  4. Type exit to return to the CentOS prompt.
  5. Restart the Incident Management service with the following command:  service rsa-im restart
  6. Perform a puppet catalog run with the following command:  puppet agent -t
  7. Examine the /var/log/tokumx/tokumx.log file to ensure that the errors are no longer occurring.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
NotesThe screenshot below illustrates the process of creating the "im" user within the MongoDB database on the Security Analytics server.
User-added image